Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey.


Policy Resolution and Enforcement of Privileges in a Grid Authorization System Based on Job Properties Sang-Min Park, Glenn Wasson, and Marty Humphrey University of Virginia Supported by the US Department of Energy (Early Career Program), the National Science Foundation under grants SCI , SCI , and SCI , and Microsoft.

2 Overview
- Background
- GRID Authorization
- Job-property Authorization
- Performance Evaluation
- Conclusion

3 Never happen?

4 Remote Execution in GRID
(Diagram on the slide: a local site submits a job to the GRID Middleware at the remote site, which hands it to the Local Resource Manager.)
1. Job Submission (with executable path, arguments, stdin/out, ...)
2. Authentication (mutual)
3. Authorization: Fred's DN (/C=US /O=UVa /CN=Fred) is mapped to a local account
4. Resource Allocation & Process Execution (enqueue or fork)
5. Status Monitoring & Job Management

5 Existing GRID Authorization
'grid-mapfile' approach
- The early mechanism for authorizing GRID users
- Maps the GRID-level ID (X.509 DN) to a local account (e.g., /C=US/O=UVa/OU=CS/CN=Fred foo)
- The authorization decision is enforced by the O/S's security system
- Still the most widely used authorization scheme
Limitations
- Huge administrative burden: every GRID user must have an account on the resources
- Limits VO scalability

6 Existing GRID Authorization
VO Authorization Infrastructure
- Manages community members' privileges within the VO
- Mostly role-based authorization
Example systems
- Community Authorization Service (CAS)
  - Uses SAML to carry the fine-grained authorization assertion
  - A proxy certificate is used to securely deliver the assertion to resources
  - GridFTP interprets the access control primitives in the assertion
- VO Management Service (VOMS)
  - The VOMS server issues the user's role in the VO
  - The resource interprets the role by mapping it to a local account
- PRIMA (Open Science GRID)
  - The VOMS server issues the role
  - A GUMS server, per site, maps the role to a local account
  - No more 'grid-mapfile' within the resource

7 What is the problem?
Fred has a scientist role in the VO
- What if his account is compromised?
- What if his binary is compromised?
- What if Fred is a bad guy?
- ...
The scientist role can access an enormous amount of GRID resources... Guess what?
Not safe to assume the role/identity will do what it is supposed to do!

8 Job Property Authorization
Not safe to assume the role/identity will do what it is supposed to do!
- Take "what it is supposed to do" as the basis for the authorization decision
- What it is supposed to do = the job's property or behavioral requirements
- The VO determines the job's property and issues a certification of it
- The resource recognizes the property and enforces it accordingly

9 Job Property Authorization - Scenario
Fred (/C=US /O=UVa /CN=Fred): "I want to run Matlab on the GRID"
VO: "Fred's execution of Matlab will require:
  * Maximum 10 hours of running time
  * 128 MBs of memory
  * Write access to /home/vo/cms"
Job property document (Matlab for Fred): Running Time: 10 hours; Memory: 128 MBs; ...; File Access: write; ...
Fred to the remote resources: "I want to run Matlab and here is the certified job property document"
Remote resource: "OK, I will accept the job property but will enforce my own policy in addition to the VO policy"

10 Job Property Authorization
Four issues in Job Property Authorization
1. The language to express the fine-grained job property
2. How can the remote resource securely retrieve the job property?
3. Multiple policy resolution (job property as VO policy, site policy, and more)
4. How to enforce the fine-grained job property within the remote execution system?

11 Job Property Authorization - Prototype Development
- CAS as the VO job property authorization server
- SAML as the language to express the job property (1)
- Proxy certificate as the medium to securely hold and deliver the job property (2)
- Multiple Policy Resolution: site policy + job property (3)
- .NET CLR Sandbox as the enforcement mechanism (4)

12 Dynamic and Fine-grained Authorization Enforcement
- Account-based system
  - Statically or dynamically maps to an existing account
  - Coarse granularity of privilege configuration
- OS-level Virtual Machine (e.g., VMware and Xen)
  - Newly instantiates a guest O/S on top of the host O/S
  - The guest O/S becomes the sandbox for the host O/S
  - Performance overhead is big (esp. instantiation delay)
- App-level sandbox
  - A monitoring process intercepts system calls and enforces policy
  - Every system call is examined, so the overhead is big
- Language Runtime VM (.NET CLR and JVM) Sandbox
  - The runtime enforces the fine-grained access control
  - Utilization in GRID has not been examined

13 Job Property Authorization - Prototype Development
- Novel use of CAS
  - VO Admin inputs Job Properties and maps them to members
  - SAML for encoding the Job Property
- Use GT4 client tools (e.g., globus-run, cas-wrap, etc.)
- Compatible with GT4 GRAM
  - WSRF-based implementation
  - Runs as a Windows service
  - Invokes the .NET CLR
- Multiple Policy Resolution
- CLR Sandbox Configuration

14 Job Property Authorization - Prototype Development
SAML for job property authorization
- A single authorization decision carries multiple actions
- Each action maps to a job property
Assertion shown on the slide (fragment as it survives in the transcript):
  <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="…"
    Issuer="C=US,ST=Virginia,L=Charlottesville,O=University of Virginia,,CN=PKI Master"
    MajorVersion="1" MinorVersion="0">
  Subject: /C=US/O=University of Virginia/OU=UVA Standard PKI User/ Park
  Actions:
    write/WORKING_DIR
    read/WORKING_DIR
    execution/WORKING_DIR\\bin
    socket/cs.virginia.edu

15 Policy Resolution
Granting the least amount of privileges
- Both the job property given by the VO and the site policy describe multiple fine-grained permissions
- Least amount of privilege = intersection of the permission sets
  - "and" relation for logical permissions
  - Intersection of file path resolution
Resolution table on the slide (partially recoverable): C:\ on one side and C:\VO1 on the other resolve to C:\VO1; C:\VO1 and C:\VO1\Matlab resolve to C:\VO1\Matlab; C:\Temp against C:\VO1 resolves to no access; a logical permission of Yes on one side and No on the other resolves to No.
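The least-privilege resolution of slides 14 and 15, as an added Python example that is not the authors' prototype code: permissions in the slide's action/target form are parsed, logical permissions are AND-ed, and path grants are intersected by containment. It assumes symbolic path names such as VO_TMP_PATH have already been expanded by the site, and the two sample documents are constructed.

```python
# Added example (not the authors' prototype): least-privilege resolution of a VO
# job-property document against a site policy, as slides 14 and 15 describe.
# Entries use the slide's "action/target" form; no target (e.g. "socket") means
# unrestricted. Assumed: names like VO_TMP_PATH were already expanded by the site.
import ntpath
PATH_ACTIONS = {"read", "write", "execution"}   # targets of these are file paths

def parse_permissions(entries):
    """Map action -> set of targets; True stands for 'any target'."""
    perms = {}
    for entry in entries:
        action, sep, target = entry.partition("/")
        perms.setdefault(action, set()).add(target if sep else True)
    return perms

def _under(child, parent):
    """True if Windows path `child` equals `parent` or lies below it."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p)).rstrip("\\") + "\\"
    return norm(child).startswith(norm(parent))

def resolve_paths(site_paths, job_paths):
    """Keep the narrower path whenever one grant contains the other; unrelated
    paths (C:\\VO1 vs C:\\Temp) grant nothing, as in the slide's table."""
    granted = set()
    for s in site_paths:
        for j in job_paths:
            if _under(j, s):   granted.add(j)   # job asks for a subtree the site allows
            elif _under(s, j): granted.add(s)   # job asks for more; the site narrows it
    return granted

def resolve(site_policy, job_property):
    """An action must appear in both documents ("and" relation); its targets are
    intersected, by containment for paths and exactly for anything else."""
    site, job = parse_permissions(site_policy), parse_permissions(job_property)
    resolved = {}
    for action in site.keys() & job.keys():
        s, j = site[action], job[action]
        if True in s:   granted = j                   # site unrestricted: job's scope
        elif True in j: granted = s                   # job unrestricted: site's scope
        elif action in PATH_ACTIONS: granted = resolve_paths(s, j)
        else:           granted = s & j               # e.g. socket/host: exact match
        if granted:
            resolved[action] = granted
    return resolved

# Constructed sample documents in the style of slides 14, 17 and 18.
SITE_POLICY = ["read/C:\\", "write/C:\\VO1", "execution/C:\\VO1", "socket", "registry"]
JOB_PROPERTY = ["read/C:\\VO1", "write/C:\\VO1\\Matlab", "write/C:\\Temp",
                "execution/C:\\VO1", "socket/cs.virginia.edu", "db_connection"]

if __name__ == "__main__":
    print(resolve(SITE_POLICY, JOB_PROPERTY))
```

With the sample documents, write access to C:\Temp and the db_connection request are dropped because the site never granted them, and the site's unrestricted socket grant is narrowed to the host the job asked for.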

16 Evaluation
Quantitative Evaluation
- Run a hello-world application
- Measure the time to execute the binary on the resource
- Overhead due to Job Property Authorization
  - Policy Resolution Time
  - CLR Sandbox Configuration Time
- Compare with the baseline case
- Choose a sufficiently large number of entries in the Job Property and Site Policy

17 Evaluation
Site Policy in Evaluation (table on the slide, not fully recoverable: an entry count of 100, paths under $VOBasePath, and Yes/No logical permissions)

18 Evaluation
Job Property Document in Evaluation
- read/VO_APPLICATIONS_PATH
- read/VO_LIBRARY_PATH
- read/VO_SHARED_PATH
- read/VO_TMP_PATH
- read/VO_UTILS_PATH
- read/VO_BIN_PATH
- read/DEFAULT_WORKING_DIR
- write/DEFAULT_WORKING_DIR
- write/VO_SHARED_PATH
- write/VO_TMP_PATH
- socket
- execution
- registry
- db_connection
- call_unmanaged_code
- environment_var

19 Evaluation
Timing breakdown (table on the slide; only the policy resolution figure survives in the transcript)
Component                  | Baseline - no auth. (ms) | Job Property Authorization (ms)
GRAM                       |                          |
.NET CLR Creation Time     |                          |
Policy Resolution Time     |                          | 43.1
Sandbox configuration time |                          |
Logging                    |                          |
Total                      |                          |
Total overhead (ms) due to Job-Property Authorization: value not recovered in the transcript

20 Evaluation
Interpretation of results
- The majority of the time is CLR creation (≈ 600 ms)
  - CLR pooling might be helpful
- CLR sandbox configuration time is also long (≈ 200 ms)
- Less than 1 second to invoke a remote process within a site with Job Property Authorization

21 Conclusions
- Job Property Authorization: authorization per job is more secure than authorization per identity
- Implemented the Job Property Authorization prototype using CAS, SAML, and the .NET CLR
- The overhead due to Job Property Authorization is not very significant for most GRID applications

22 Future work
- The mechanism by which the VO determines the behavior and properties of the jobs its members run
  - A predefined and limited set of applications
  - By recording and collecting the VO-wide job execution history?
- Language framework for general-purpose Job Property Specification
  - Neutral to enforcement mechanisms
  - Binding to enforcement mechanisms with varying degrees of granularity

23 Thank you! Questions ?